Banking Regulators Issue Data Breach Rules

The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Office of Thrift Supervision jointly announced the rules March 23. They also released a 66-page guidance document, "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice."

Effective immediately, the rules mandate that financial institutions implement a response program to address security breaches of personally identifiable customer information, including notification of consumers when substantial harm or inconvenience is likely.

After assessing the situation, "If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible," according to the guidance.

Regardless of whether consumer notification is warranted, institutions must notify their primary federal regulator of all security breaches involving sensitive customer information under the rules. However, notification may be delayed for law enforcement purposes.

Though the rules do not apply to ChoicePoint, LexisNexis or other data companies that have suffered breaches recently, they do apply to Bank of America. The financial institution made news in late February when it said that some of its computer data tapes containing personal and account information for 1.2 million federal government charge card program customers were lost during shipment to a backup data center.

Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com.